ISO/IEC27000: Boundary Defense

Most organizations deploy firewalls and IPS/IDS devices to protect organizations against attacks and intrusions. However, many of these devices are capable of not being properly configured. Nor do they account for every entry point into an organization’s network. This report will help organizations obtain critical information from firewalls, IPS/IDS devices, and remote access services, which can assist with identifying and securing potential blind spots.

The ISO/IEC 27002:2013 provides a framework that can be used to develop and enhance information security policies for any organization. Each security control and objective provided within the standard can be tailored to specific business and regulatory objectives, and assist with maintaining overall compliance. This report aligns with the ISO/IEC 27002 13.1.1 and 13.1.3 controls. Each chapter provides detailed information on various types of boundary devices, remote access devices, and suspicious events. This information can be used to gain awareness of potential security gaps, and improve an organization’s security posture.

Most network boundary devices do not offer complete protection against attacks. Even deploying multiple boundary devices can still leave security gaps, and place organizations at risk. Remote access services such as remote desktop, VPN, and SSH can leave the door open to unauthorized users or intruders. Monitoring internal resources for suspicious events, botnet activity, and port traffic can help to determine potential security gaps that need to be addressed.

The ISO Boundary Defense report provides critical information that organization’s can use to help strengthen network boundary devices. The Security Devices Summary chapter presents information on firewall and IPS/IDS events. Tenable’s Log Correlation Engine (LCE) collects event data from firewalls, IPS, and IDS devices, which can help to identify suspicious events across servers, workstations, and critical infrastructure devices.  Analysts can use this information to quickly address and remediate potential issues.  The Remote Access Summary chapter tracks events from remote desktop, SSH, VNC, and VPN devices. Events from unauthorized users, failed logins, intrusion attempts, and more are included within this chapter. Port summary events can help to track firewall evasion events, or uncommon ports that may be in use to gain internal access. The Events Summary chapter provides information on suspicious activity events being reported by devices forwarded logs to the LCE. This activity is compared to the current hour’s event rate for each IP address to the same hour in each previous day. The events in this chapter can report on network scanning, inbound or outbound network spikes, firewall changes, and intrusion events. Organizations will also be alerted to botnet activity, potential worm infections, and malicious connections.

This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:

• Tenable.sc 5.3.2
• Nessus 8.5.1
• LCE 6.0.0
• NNM 5.9.0

Tenable's Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring platform. Tenable’s Log Correlation Engine (LCE) performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure. Nessus is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. Using Tenable.sc CV, the organization will obtain the most comprehensive and integrated view of its network devices and assets.

The report contains the following chapters:

• Executive Summary: The Executive Summary chapter presents an overview of firewall and IPS/IDS event activity on a network. The Top Firewall events by IP show top hosts events from various firewall events and devices. Events from firewall devices and services provide accurate details the analyst can use to identify potentially suspicious activity. Activity from IPS and IDS devices and services will provide targeted information the analyst can use to focus efforts on remediating potential attacks and intrusions. The ISO Asset Management Report provides a high-level overview of current hardware and software assets on a network. This report aligns with the ISO ISO/IEC 27002 8.1.1 and 8.1.2 controls, where all assets should be identified, accurate, and up to date.
• Remote Access Summary: The Remote Access Summary chapter tracks events from remote desktop, SSH, VNC, and VPN devices. Events from unauthorized users, failed logins, intrusion attempts, and more are included within this chapter. Port summary events can help to track firewall evasion events, or uncommon ports that may be in use to gain internal access.
• Event Summary: The Events Summary chapter contains charts and tables that report on suspicious activity from devices that are forwarding logs to the LCE. This activity is compared to the current hour’s event rate for each IP address to the same hour in each previous day. The events in this chapter can report on network scanning, inbound or outbound network spikes, firewall changes, and intrusion events. Organizations will also be alerted to botnet activity, potential worm infections, and malicious connections.